Adding a password-protected user without interactive shell

[DeadMate]

Is it somehow possible to add such user without answering all the dialogs? I need it to be created using my API.

[randshell]

It's not currently possible without interactive input.
Related issue #261.

[angristan]

AFAIK, it is not currently possible to automate this. easy-rsa will ask for a password from stdin:

openvpn-install/openvpn-install.sh

Line 975 in ef37eb6

./easyrsa build-client-full "$CLIENT"

I wish we had a workaround.

[angristan]

Related:

• add --passin --passout for alternative pass src/dst OpenVPN/easy-rsa#242
• set password on command line OpenVPN/easy-rsa#103
• support from password read from ENV OpenVPN/easy-rsa#101
• Alternative passphrase input support OpenVPN/easy-rsa#18

[penCsharpener]

there is a workaround but it involves hacking easy-rsa
see this stackoverflow answer

in /etc/openvpn/easy-rsa/easyrsa find the function gen_req()
in line 641 (depends on your version) there is opts=""
edit it to read:

opts="-passout stdin"

now you can feed the script a text file as input
./openvpn-install.sh <textinput.txt

textinput contains

1
nameofclient
2
passwordofclient
passwordofclient

[penCsharpener]

it must be said that the openvpn-install.sh script won't function anymore as expected after that modification. Rather then being asked for the password twice when going through the interactive script I only need to type it once and it's visible as plaintext. But the resulting cert works just fine.
@DeadMate If you only ever run it through your api this might work for you.

however, we are working on a wrapper script, that modify easyrsa, then run openvpn-install.sh with piping in a textfile, then restores the orignal easyrsa file.

[skoam]

The following script modifies the first "opts=" statement found in the declaration of gen_req in easyrsa to prepend "-passout stdin". It stores the original next to easyrsa as "easyrsa.nostdin.bkp", which you could also use to restore the original file after any automation.

This is of course a bit of a hacky workaround, but it does the job.

#!/bin/bash

EASYRSA_EXECUTABLE="/etc/openvpn/easy-rsa/easyrsa"
EASYRSA_EXECUTABLE_BACKUP="$EASYRSA_EXECUTABLE.nostdin.bkp"

# Restore easyrsa to original state or create backup from original
if [ -f "$EASYRSA_EXECUTABLE_BACKUP" ]; then
	cp $EASYRSA_EXECUTABLE_BACKUP $EASYRSA_EXECUTABLE
else
	cp $EASYRSA_EXECUTABLE $EASYRSA_EXECUTABLE_BACKUP
fi

# Get Line Number of gen_req() {
GEN_REQ_LOCATION=$(cat $EASYRSA_EXECUTABLE | grep -n "gen_req() {" | awk "NR==1" | awk -F ':' '{print $1}')
# Get Line Number of first opts= after gen_req() {
OPTS_LOCATION=$(tail $EASYRSA_EXECUTABLE -n +$GEN_REQ_LOCATION | grep -n "opts=\"" | awk "NR==1" | awk -F ':' '{print $1}')

# Add Numbers to get global position of matched opts= statement 
COMBINED_LOCATION=$(($GEN_REQ_LOCATION+$OPTS_LOCATION-1))

# Add -passout stdin to opts=
RESULT=$(cat $EASYRSA_EXECUTABLE | sed -e "${COMBINED_LOCATION}s/.*opts=\"/\topts=\"-passout stdin /")

# Overwrite original easyrsa
echo "$RESULT" > $EASYRSA_EXECUTABLE

exit 0

[luizluca]

easyrsa can now accept passwords as arguments:
OpenVPN/easy-rsa@c794d5e

[angristan]

Awsome, thanks for letting us know. I won't have time to add this before a little while, but I'll gadly accept a PR.

[randshell]

With EasyRSA 3.0.7 it's possible to pass the password of the password protected client with a variable. @angristan you always wanted to do this so I leave it to you #160 (comment)

From EasyRSA 3.0.7 changelog: Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars

[x1hash]

Been any update on this?

[angristan]

No, feel free to open a PR.

[dorancemc]

pass the password with the var EASYRSA_PASSOUT, then run the command, this works for me.

MENU_OPTION="1" CLIENT="foo" PASS="2" EASYRSA_PASSOUT=pass:newpassword ./openvpn-install.sh

easy-rsa v3.1.2